1 Reply Latest reply on Nov 22, 2011 11:59 AM by damageinc

    HIPS policy tuning questions

      Hello,

       

      I've been working on policy tuning HIPS policies for a large enterprise network. A couple of things that came up in the logs were puzzling/suspicious; I was hoping to get some feedback from someone as to the perceived risk.

       

      1.) In several event logs I get events with a 'threat source process name' of "**\CMD.exe". It occurred to me that this could be a way to run a trojaned version of cmd.exe in a different directory than the standard c:\windows\system32 directory. Is this something to be concerned about, or does this happen as a normal way of Windows doing its routine business?

       

      2.) I've gotten a bunch of event logs with a "threat source user name" of "Domain Unknown\User Unknown". Why would this user account name come up in an event log? Most other logs have domain user accounts, or, if it's a local user account, have a "<machine name>\<username>" format. Is this something to be concerned about? I'm hesitant to make an exception for this user account because it looks like it would be equivalent to making an exception for an anonymous user.

       

      Thanks in advance,

       

      MG

        • 1. Re: HIPS policy tuning questions
          damageinc

          I too have seen the "**\process.exe" thing.  This seems to be a DoD-specific problem.

           

          I have asked McAfee about this issue, and they've said that they have never seen this problem before. For us, we get these way too much to be a one-off problem. My belief is that it has something to do with the way Application Blocking exceptions are written. I would love to know the solution if there is one, as there seems to be no way to allow for HIPS exceptions for these items.
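
For question 1, a check that can be run on an endpoint that logged the event, added here as an example and not taken from either poster or from McAfee: it lists every running cmd.exe and reports whether its image sits in one of the two standard Windows locations, along with its signature status, hash and parent process. It assumes PowerShell 5.1 or later and an elevated session; it does not explain the "**" in the HIPS event itself.

```powershell
# Added example: audit running cmd.exe instances on the local machine.
# Standard image locations (64-bit and 32-bit-on-64-bit).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\cmd.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\cmd.exe')
)

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'cmd.exe'" | ForEach-Object {
    # ExecutablePath is empty when the session lacks rights to query the process.
    $path = $_.ExecutablePath
    $sig  = $null
    $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    # The parent may already have exited, in which case this returns nothing.
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"

    [pscustomobject]@{
        ProcessId    = $_.ProcessId
        Path         = $path
        # -contains compares strings case-insensitively, which matches NTFS path semantics here.
        StandardPath = [bool]($path -and ($expected -contains $path))
        Signature    = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256       = $hash
        Parent       = if ($parent) { $parent.Name } else { $null }
    }
} | Sort-Object StandardPath | Format-Table -AutoSize -Wrap
```

Rows with `StandardPath` false or a `Signature` other than `Valid` are the ones to investigate before writing any exception. On older PowerShell versions, catalog-signed system binaries may be reported as `NotSigned`, so compare the hash against a known-good copy from the same OS build in that case.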